author | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-28 05:27:20 +0000 |
---|---|---|
committer | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-28 05:27:20 +0000 |
commit | 7439a2a660cef336fe5e57abc73607fdf1d2e794 (patch) | |
tree | 538884d39d83f5a47ceb6bcf7473ffe2491181e6 /content/browser/loader/resource_dispatcher_host_impl.h | |
parent | 892940e15b801be1ab152a5672c2b3236730d790 (diff) | |
Apply cross-origin auth prompt blocking to image resources only.
This CL applies both cross-origin basic auth prompt blocking, and
the stripping of embedded URL identities to image src URLs only.
See the bug for a description of why we think this is acceptable.
The first part of the change is to rename HttpAuthResourceType to
HttpAuthRelationType, to avoid confusion with ResourceType since
both are now used closely together.
Then, BuildLoadFlagsForRequest() is made a method, rather than just
a function, so it can access information needed to compute the relation
type. It blocks the sending of credentials as well as the popping
of popups for images under the right conditions.
BUG=174179
Review URL: https://chromiumcodereview.appspot.com/17738004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209100 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/browser/loader/resource_dispatcher_host_impl.h')
-rw-r--r-- | content/browser/loader/resource_dispatcher_host_impl.h | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/content/browser/loader/resource_dispatcher_host_impl.h b/content/browser/loader/resource_dispatcher_host_impl.h
index abff21c..3ba2491 100644
--- a/content/browser/loader/resource_dispatcher_host_impl.h
+++ b/content/browser/loader/resource_dispatcher_host_impl.h
@@ -379,15 +379,16 @@ class CONTENT_EXPORT ResourceDispatcherHostImpl
 ResourceContext* context);
 // Relationship of resource being authenticated with the top level page.
- enum HttpAuthResourceType {
- HTTP_AUTH_RESOURCE_TOP, // Top-level page itself
- HTTP_AUTH_RESOURCE_SAME_DOMAIN, // Sub-content from same domain
- HTTP_AUTH_RESOURCE_BLOCKED_CROSS, // Blocked Sub-content from cross domain
- HTTP_AUTH_RESOURCE_ALLOWED_CROSS, // Allowed Sub-content per command line
- HTTP_AUTH_RESOURCE_LAST
+ enum HttpAuthRelationType {
+ HTTP_AUTH_RELATION_TOP, // Top-level page itself
+ HTTP_AUTH_RELATION_SAME_DOMAIN, // Sub-content from same domain
+ HTTP_AUTH_RELATION_BLOCKED_CROSS, // Blocked Sub-content from cross domain
+ HTTP_AUTH_RELATION_ALLOWED_CROSS, // Allowed Sub-content per command line
+ HTTP_AUTH_RELATION_LAST
 };
- HttpAuthResourceType HttpAuthResourceTypeOf(net::URLRequest* request);
+ HttpAuthRelationType HttpAuthRelationTypeOf(const GURL& request_url,
+ const GURL& first_party);
 // Returns whether the URLRequest identified by |transferred_request_id| is
 // currently in the process of being transferred to a different renderer.
@@ -406,6 +407,10 @@ class CONTENT_EXPORT ResourceDispatcherHostImpl
 void UnregisterResourceMessageDelegate(const GlobalRequestID& id,
 ResourceMessageDelegate* delegate);
+ int BuildLoadFlagsForRequest(const ResourceHostMsg_Request& request_data,
+ int child_id,
+ bool is_sync_load);
+
 LoaderMap pending_loaders_;
 // Collection of temp files downloaded for child processes via |
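Review bot: The new `HttpAuthRelationTypeOf(const GURL& request_url, const GURL& first_party)` declaration carries no comment saying how the two URLs are compared, and the enum comments say "same domain" while the commit description says "cross-origin". Those are different boundaries (an origin includes scheme and port, a registrable domain does not), and a caller deciding whether to suppress an auth prompt needs to know which one applies. I would add above the declaration `// Classifies |request_url| relative to |first_party|; "same domain" means <comparison used by the implementation>.` and name the command-line switch on the `HTTP_AUTH_RELATION_ALLOWED_CROSS` line. The implementation is outside this hunk, so the actual comparison has to be confirmed there.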
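Review bot: `BuildLoadFlagsForRequest` is added to the class without any comment, although per the commit description it is now the place where credentials are withheld and auth prompts suppressed for images. A header comment such as `// Computes the load flags for |request_data|; for cross-domain image requests this may disable sending credentials and showing auth prompts.` would make that security behaviour visible to readers of the class. If the image check reads the resource type from `request_data`, that value presumably originates in the child process identified by `child_id`, so the comment should also say whether it is taken as-is or validated. The definition is not in this hunk, so both points need checking against the .cc file.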